ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Groq Voice Transcribe

v1.0.1

Transcribe audio files via Groq's OpenAI-compatible speech-to-text API. Use when the user sends voice messages or audio files and you need fast cloud speech-...

0· 304·0 current·0 all-time
by@timing-up
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
Name/description align with the included script and purpose (cloud transcription via Groq). However, the registry metadata lists no required environment variables or primary credential while the script and SKILL.md clearly require a GROQ_API_KEY — an incoherence between declared requirements and actual need.
Instruction Scope
SKILL.md and scripts are narrowly scoped to sending an audio file to Groq's transcription endpoint and saving the response. The SKILL.md additionally tells the assistant it can place the API key into ~/.openclaw/openclaw.json — an action that writes user configuration and involves handling a secret. This is explainable for setup but should be done explicitly and securely.
Install Mechanism
No install spec; the skill is instruction + a small shell script. Nothing is downloaded from external/unknown URLs or installed automatically, which keeps installation risk low.
!
Credentials
Functionally the skill needs one secret (GROQ_API_KEY) which is proportionate. The concern is that registry metadata did not declare any required env vars or primary credential despite the script depending on GROQ_API_KEY; this mismatch is an integrity problem and could lead to misconfiguration or accidental key disclosure if users follow unclear instructions.
Persistence & Privilege
No elevated privileges requested. always is false and the skill does not request persistent system-level changes beyond optionally writing the API key into the local OpenClaw config (which is limited in scope).
What to consider before installing
This skill's code does exactly what it says: it uploads a local audio file to https://api.groq.com/openai/v1/audio/transcriptions using a GROQ_API_KEY and writes the transcription to a file. Before installing or using it: - Treat the GROQ API key as a secret. Do not paste it into public chats. Prefer setting GROQ_API_KEY in your environment or adding it manually to ~/.openclaw/openclaw.json rather than letting the assistant edit config automatically. - The registry metadata did not list any required env var, but the script requires GROQ_API_KEY — that's an inconsistency. Confirm where you store the key and how it will be used. - The skill will send audio to Groq's cloud for transcription. Only use it for audio you are comfortable sending to an external service. - The package has no install step and the included script is small and readable; you can run the script manually to verify behavior before granting the assistant permission to configure anything. - The skill source and homepage are unknown. If you need stronger provenance, ask the publisher for a homepage or repository and prefer skills with clear authorship. If you decide to proceed: set GROQ_API_KEY locally (export GROQ_API_KEY=...) and run the provided script manually to test, or explicitly instruct the assistant how/where to store the key (and confirm it will not be shared elsewhere).

Like a lobster shell, security has layers — review code before you run it.

latestvk979rwm8cg6m8dxaepv69z6ftn82kf06

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments